What to do when your IT provider vanishes

In the ever-changing tech landscape, service interruptions and company disappearances are more common than CIOs would like. Sometimes a provider proposes a solution based on technology that swiftly becomes obsolete, or just can’t move fast enough when a more promising solution emerges. According to capital management solutions firm Carta, in Q1 this year, startup bankruptcies increased by 58% compared to the same time in 2023.

Emerging companies such as Olive AI, developer of an administrative task automation system for health centers, or Plastiq, an online payment platform, obtained important rounds of financing, only then to declare bankruptcy. Other times, it’s a specific service that changes. IBM, for example, decided in 2022 to get rid of its Watson Health unit, which integrated AI in healthcare, to focus on the cloud and its core AI technology.

What happens when a supplier goes under 

The disappearance of a company that supplies technological assets to your enterprise can present huge challenges, especially if it has supplied a significant part of the infrastructure. “The consequences can vary, from interruptions in manufacturing that can directly affect the supply of the product, to the loss of data or the need to migrate to new platforms, which generates additional costs, or causes damage to the corporate image,” says Raquel García, IT manager at science and technology company Merck.

From a legal standpoint, a number of relevant consequences may arise, adds Rafael García del Poyo, a lawyer and managing partner of the IT/IP Law Department at Osborne Clarke in Spain.

“If, for example, there’s an immediate or gradual interruption of essential services provided by the client company, there’ll surely also be effects on daily operations or business continuity that may result in chain breaches of contract,” he says. This, he adds, could lead to litigation and claims for damages initiated by affected third parties, which, in turn, would require an urgent search for an alternative provider, more cost, renegotiations of new contracts, and possible losses of data or critical information. The client company must also consider the possibility of recovering payments, and could be entitled to claim compensation or participate in the liquidation process.

What to do when services cease

Initially, and as far as possible, it’s critical to activate business continuity clauses with suppliers, says García.

“We must evaluate the impact of the discontinued service and look for alternatives based on that assessment,” she says, adding she’s been in situations like this before. “In one case, it was a supplier of an application that managed a crucial activity with hospitals, which maintained support until we managed to migrate to another platform. In another, an external data center was dismantled after being acquired by another company. We had another data center from a different provider, which allowed us to move the entire infrastructure to this second one, thus minimizing the impact on our operation.”

García’s response to these challenges includes some of the basic actions when there’s disruption to the supply of IT resources: looking for an alternative as quickly as possible, and maintaining a supplier strategy that’s not limited to a single company. del Poyo also stresses the importance of organization, acting quickly, and practicing interdepartmental collaboration to identify and prioritize the critical needs of the company and its end users. “The ultimate goal must be to ensure that any interruption of services provided is minimal and short-lived so consequences arising from a potential breach of contract are few or very limited,” he says. This will help to not only mitigate immediate risks, but strengthen long-term resilience.

It may happen that sensitive information is affected in this process, so it’s crucial that client companies agree on measures to protect these assets during the execution of the contract. “If data is lost or compromised due to a breach attributable to the supplier, the consequences can be serious and of very diverse scope both in contractual and regulatory matters,” says del Poyo. He recalls the obligations imposed by the GDPR when dealing with personal data, which make it essential to establish both preventive measures and robust response plans. The consequences of poor management can range from interruption of business operations and loss of critical information, to financial losses derived from the effects on the company’s reputation. “Moreover, the mere activity of recovering lost data can be very costly in terms of time and money,” he says. 

Another possibility is that the company that disappears is a reseller. In this case, there may also be legal consequences for the client company, although possibly less significant. “There’s always the possibility of entering into discussions directly with the main provider of the contracted technological services,” says del Poyo.

The importance of good planning

This work prior to any debacle is essential when it comes to managing it with greater success. So too are robust vendor management practices. García highlights the need to have contracts that include business continuity clauses and contingency plans, supported by other alternative procedures. “It’s not possible to develop proactive plans for all services, so we must carry out a risk analysis to identify critical services and evaluate the impact of their possible discontinuation, and establish a specific plan,” she says. This may include, for example, diversifying suppliers that, in her case, was useful when the data center she worked with was dismantled.

She points to other proactive strategies to deal with this situation, such as using standard platforms that are compatible across multiple vendors to streamline migration if there’s a change of vendor. Implementing data backup strategies and disaster recovery plans, establishing a vendor monitoring system, and maintaining clear documentation of processes and configurations can also be helpful. Plus, regular vendor audits and contract reviews can be conducted.

del Poyo also agrees on the need for a well-developed contingency plan, with clear procedures for data recovery, continuity of services, management of internal and external communication, the need for ongoing risk assessment, and establishing solid relationships with suppliers to detect potential problems.

Preventive measures are necessary, he says, especially during the service contracting process, which includes a careful assessment of the technical solvency and financial stability of the suppliers with whom the company is going to work before the contract is signed. “It’s essential that companies receiving technological services ensure their contracts include protection clauses,” he says, such as service level agreements, punitive consequence, or contingency plans that can help mitigate the risks associated with the bankruptcy or disappearance of a supplier.

Once collaboration has been established, del Poyo calls for maintaining constant and open communication to facilitate detection of early signs of technical or financial problems. This channel must also reach those people or companies that are end users of the client company. The moment of panic upon learning that a supplier is disappearing is surely inevitable, but there are mechanisms to ensure it’s only a fleeting one and doesn’t drag on.